How to prevent collisions when generating registration activation keys?

I'm working on a big project's registration system.

After successful signup, the server generates some activation key, adds it to user's row and sends it to user by email. Using some password generator class for this purpose.

The question is (I know that it sounds abstract but I just wonder), how to avoid duplicate pass generation? I mean, is there any chance that in future generator can create the activation key that already exists in db table? Should I check for duplication after key generation?

-------------Problems Reply------------

Try out uniqid().

I would recommend using the Text_Password package from PEAR. Don't try to reinvent this wheel.

Don't force passwords to be strictly unique. It's actually less secure to have that enforcement. Consider that if I try to set my password to xyzzy and the site tells me I can't, that means now I know some account is using xyzzy as a password. I just have to try that password on all accounts until I find which one.

Don't use a hash digest as a generated password. Your users don't want to type in a hex string of 32 character (or longer). I have had the experience of coding a secure software activation key package in 2001, using PKI and MD5 hashes. But no one would use it because the keys were too long.

Do use a hash digest and salt to store passwords. Read this article by our fearless leader: You're Probably Storing Passwords Incorrectly.

See also my answers to a few other password-related questions:

  • How to generate random password, or temporary URL, for resetting password in Zend Framework?
  • PHP & MySQL compare password
  • What data type to use for hashed password field and what length?
  • How large should my password salt be?

Using a hash algorithm like SHA or Whirlpool with a unique input (like the users' unique username) will result in a hash that has an expected collision rate of 0.

I wouldn't roll my own algorithm for this. uniqid() or md5(), as mentioned, are guaranteed solutions.

You could use the time, but it won't be "random" you'd have to add some randomness to it...

$key = md5(time());

Use GUID as your registration key, as it is always unique and generated by system

Category:php Views:0 Time:2011-11-11

Related post

  • can not get in to office free trial 2010 when i press 1 click here to request your trial activation key on line it says unable to request your trial activation key help!!! 2014-05-31

    Why can i not use my free trial? --------------Solutions------------- Did you have any Office 2010 trial installed in this computer before? Have you used the same email ID to generate the trial Product key before? Try downloading a different Office 2

  • How to prevent GWT from generating inline styles? 2011-01-10

    When I, for example, add a SimplePanel to my page I get a div like <div style="position: relative; " class="myClass" ... This inline style overrides my custom style defined for myClass. How to prevent GWT from generating this inline style ? Or how

  • How can I prevent Doctrine from generating SQL for a specific table? 2011-04-05

    I have a huge table, that I want to use in Symfony/Doctrine, but I don't want Doctrine populating it every time I re-generate my table schemas, because it's huge, it takes too long to import, it wouldn't work well if I'd put it in the fixtures. How c

  • How to Prevent Ckecksum() from generating Duplicate Values in sql server 2011-07-28

    As it is known there is a probable chance of checksum Generating duplicate values, and I am suppossed to find an approach which prevents checksum from generating Duplicate Values... Please Help Thanks n Regards --------------Solutions------------- Yo

  • Generating activation key from serial number 2011-09-22

    I have devices with unique serial number (string incremetation) ex : AS1002 and AS1003. I need to figure out an algorithm to produce a unique activation key for each serial number. What would be the best approach for this ? Thanks ! (This has to be d

  • Preventing session expiration if user active 2011-10-05

    I have mini content management sytem with basic login system. I wonder, how to prevent session expiration if user active for ex. typing content or something else? Is there any way to do it? How can i rearm the session every time an interaction takes

  • Devise not generating registration paths/ routes 2011-10-26

    I have created a new project using devise login according to Ryan Bates' railscast. It does not have the registration routes (unlike a previous project I made, with exactly the same steps) shows the two 'rake routes' commands. The top shell is my pre

  • How to implement a registration activity in android that works only for once? 2012-01-26

    I'm designing an application that has an activity for registration process, this activity launches on default. I want this activity to be disabled forever once the registration process has been completed successfully and then it should be replaced by

  • Generate a Unique Key 2011-07-03

    What’s the best way of generating a unique key, that can’t be guessed easily? I would like to create a unique key for both account activation and referral purposes, that includes a checksum to help prevent users from easily guessing other users activ

  • can't read my activation key! 2012-07-08

    in 2013 office home and student (windows 8), as i was trying to scratch off the covering of the activation key, the first 10 digits became unreadable. what do i do now? who do i call???? bought it at best buy, but i'm assuming this is a microsoft iss

  • Lost Activation key 2011 2013-02-11

    I purchased Office for Mac 2008 student from PC world when I bought my iMac this came with a free upgrade to Office 2011. I have been having problems installing update 14.2.4 so i followed the recommendations for resolving this and removed 2011 from

  • Is there any way to find my hardware serial number from a Windows Activation key? 2013-04-14

    My wife had a netbook stolen at her high school. She has a record of the Windows Activation Key that was used to upgrade this machine from Windows 7 Starter to Windows 7 Home Premium. Unfortunately, she does not have a record of the serial number of

  • What is the best way to generate a random key within PHP? 2009-03-12

    I'm looking to create a reusable function that will generate a random key with printable ACSII characters of chosen length (anywhere from 2 to 1000+). I'm thinking printable ASCII characters would be 33-126. They key does not need to be completely un

  • where to save activation key 2009-09-01

    I am using C# and have a key the users enters to activate my program. I do not want the user to be able to see the key once it is entered. Do you have any recommendations for how/where to store it? --------------Solutions------------- You can save th

  • Can I use PBKDF2 to generate an AES256 key to encrypt and implicitly authenticate? 2010-12-01

    I have 2 devices and I want to set up a secure communication channel between them. The only shared secret is a (7- to 20- character ASCII) passphrase. If I use PBKDF2 (from RFC 2898) with a common salt, iterations, and passphrase to generate an AES25

  • Generating a Unique Key on using C# 2011-04-28

    i want to generate a unique key in my web service (WCF) , to asign to a user, it should be minimum 32bit, what is the best way to di it, It would be asigned as a registration number for that user , and would be valid for 23 days, i thought of using t

  • Why is schemaexport generating 2 foreign keys? 2011-06-12

    I'm using fluentnhibernate on SQL Server 2008. I have to objects Staff public class Staff : BaseEntity { public virtual string UserName { get; set; } public virtual string FirstName { get; set; } public virtual string LastName { get; set; } public vi

  • Is it secure to remove special character from activation key 2012-02-22

    In my application I am creating a activation key of 64 characters. It is having special characters like + = While framing url we are doing url encode. But if user do a copy of the url from his email client , in some client url is getting url decoded.

  • Is there any possibilities to generate same hash key using md5? 2012-04-26

    am generating unique api keies using this function and storing into database. strtoupper( md5( uniqid(rand(), TRUE ) ) ); is thr any possiblities of generating same hash key by above function??? --------------Solutions------------- Even though the un

Copyright (C), All Rights Reserved.

processed in 0.133 (s). 11 q(s)